Office of Inspector General
Export-Import Bank of the United States

Fiscal Year 2009
Financial Statement Audit – Management Letter Excerpt

March 9, 2010
OIG-AR-10-03

March 9, 2010

This report presents a summary of certain matters that were identified by Deloitte & Touche LLP (Deloitte) in connection with their audit of the financial statements of the Export-Import Bank of the United States (Ex-Im Bank) as of and for the year ended September 30, 2009, on which Deloitte issued their report dated November 13, 2009. These findings and recommendations were communicated to Ex-Im Bank management in a letter dated March 4, 2010. Due to the limited distribution of the 2009 Management Letter, the Ex-Im Bank Office of Inspector General does not include it here.

We engaged Deloitte to perform the FY 2009 audit under a contract monitored by this office. The contract required the audit to be conducted in accordance with: United States generally accepted government auditing standards; Office of Management and Budget audit guidance; and the Government Accountability Office/President’s Council on Integrity and Efficiency Financial Audit Manual.

Deloitte issued an unqualified opinion on Ex-Im Bank’s FY 2009 financial statements. Also, Deloitte reported that no internal control deficiencies were identified and no reportable noncompliance with laws and regulations was found. However, Deloitte noted certain control deficiencies related to Ex-Im Bank’s internal control over financial reporting and other matters that Deloitte determined should be brought to management’s attention. Deloitte’s observations are summarized in this report, and Deloitte’s recommendations and management’s responses regarding such matters are included.

Deloitte is responsible for the observations and recommendations appearing in the 2009 Management Letter. We do not express an opinion on Ex-Im Bank’s internal controls or conclusions regarding its compliance with laws and regulations.

Jean Smith
Assistant Inspector General for Audit

811 Vermont Avenue, N.W. Washington, D.C. 20571

Excerpts of the Fiscal Year 2009 Financial Statement Audit – Management Letter
(OIG-AR-10-03, March 9, 2010)

I. CONTROL DEFICIENCIES

1. Ex-Im Online User Access Controls

General computer controls pertaining to the Ex-Im Online application do not effectively restrict user access. Administrator level privileges were granted to individuals whose daily job responsibilities do not require such access. Deloitte noted instances where developers were granted access to commit changes to the production Ex-Im Online application. These observed user access assignments do not support a segregation of duties among Information Management and Technology personnel. Additionally, while it was noted that Ex-Im Online user activities are systematically logged, there was no evidence that these logs are routinely monitored. Even though several of the observed user access exceptions had been remediated after identification, Deloitte continued to note that specific user access assignments that do not support a segregation of duties have been retained for Continuity of Operations (COOP) situations.

Recommendation 1
The CIO should remove administrative access from users in Ex-Im Online where it is not required to perform daily job responsibilities. Administrative access should be assigned in a manner that supports a logical segregation of duties, and Ex-Im Online administrative level access privileges should be actively monitored. In addition, the CIO should implement alternative/emergency user access procedures and/or detective controls to address privileged and COOP related user access risks.

Management Response
Completion date: December 2010

Management agrees in principle with this recommendation for large organizations. However, as we are a small agency, our staff (employees and contractors) are required to “wear many hats” in order to provide services under many conditions of operation. Our need to support the Bank’s COOP requires that mission essential staff have sufficient access to EXIM Online to maintain continuity of operations.

Management will incorporate and enhance additional layers of reviews of logs and save evidence of these reviews for future audits. In addition, the Bank is planning to establish a true HOT-COOP capability for EOL and therefore would not require the set-up of a three-tier recovery mechanism.

The Bank is presently following the Federal Continuity Directives and guidelines with a three-tier list of staff available for recovery (primary, alternate and second alternate). The three-tier recovery is essential in the case of a flu pandemic, where planning is for 40% absenteeism for a period of two weeks. The CIO considers the risk of having these individuals with additional accesses for recovery to be very low risk and there were no incidents in the last three years indicating the contrary:

    The OCIO does annual reviews of the lists and security access rights to ensure the right balance between segregation of duties and COOP and having to operate in a limited resources environment. In addition, EOL 'segregation of duties' and 'least privilege' are well defined, documented, and passed our security testing.

    The OCIO has processes in place to track work on EOL production. Changes are authorized by management in advance and tracked via Remedy tickets.

    The OCIO employs a “defense in depth” IT security program. We have deployed and use a suite of auditing and monitoring tools capable of providing all the capabilities required to adequately audit and monitor both external and internal user activity. Any unusual information system-related activities are investigated and tracked until resolved. For example, the OCIO logs all events on the EOL servers and sends alerts to the security team (segregation) in case of a restart of a system (which is required if the executable code was changed).

    The EXIM Online Application (internal to the application) enforces separation of duties through the use of role-based access restrictions.

    Note: The Chief Technology Officer (CTO) is a position of trust at the Bank (same as the Director of Operations and Security). The CTO is the COOP primary application-level recovery coordinator and he is not involved in daily EOL production.

2. Subsidy Re-Estimate Calculation

Deloitte noted that the sum of cash flow for a specific cohort did not agree to the outstanding balance used to generate the summary file which is used to prepare the Credit Subsidy Calculator (CSC2) load sheet. The CSC2 load sheet is uploaded to the CSC2 provided by the Office of Management and Budget to calculate each product's subsidy re-estimates. Management also noted an additional issue with the linking of source data of a specific product to the summary file which caused the summary file to update incorrectly.

Recommendation 2
The Treasurer should automate the process of preparing and summarizing cash flows used in the CSC2. They should perform a detailed review of the cash flow models in advance of the time when the re-estimate calculation is performed and should utilize a data integrity checklist to assist in the detailed review to check for formulaic and linkage issues.

Management Response
Management agrees with the recommendation and is working to automate the process and preparation of the cash flow models used in the re-estimate calculation. The Treasurer’s office expects to have this completed prior to the start of the FY 2010 audit. These cash flow models will be reviewed using a data integrity checklist.

3. Accounting for Expired Transactions

Expired insurances and working capital guarantees over 120 and 180 days, respectively, were not removed from the accounting system as of September 30, 2009. Therefore, Ex-Im Bank’s total portfolio exposure was overstated. Ex-Im uses this exposure amount to calculate loss reserves; therefore, loss reserves were also overstated.

Recommendation 3
The Controller should coordinate with the IMT Office to correct the code to ensure the expired contracts are properly removed from the LGA system in accordance with management’s policy.

Management Response
Management agrees with the recommendation and the IMT Office has already removed the expired contracts from the LGA system.

4. Accounting for Capitalized Interest

Capitalized interest calculated on a specific loan from the Deloitte sample selection was erroneously recorded to the wrong loan.

Recommendation 4
The Controller should improve the level of review of the capitalized interest calculations and related journal entries.

Management Response
Management agrees with the recommendation and will incorporate additional layers of review into the capitalized interest process beginning in the 2nd quarter of FY 2010. In addition, management completed a thorough review of all outstanding rescheduled credits to identify and correct any other calculation errors.

5. Accounting for Allowance for Capitalized Interest

Transaction code (CI0C) for capitalized interest was mapped to a pre-credit reform loan loss reserve GL account while it should have been mapped to a pre-credit reform claim reserve GL account.

Recommendation 5
The Controller should perform a roll forward reconciliation of the allowance for credit losses balance and, in addition, perform an analysis of each significant component within the roll forward at a level of precision necessary to identify any significant error.

Management Response
Management agrees with the recommendation and will begin performing a roll forward reconciliation of the allowance for credit losses balance and an analysis of each significant component in the first quarter of FY 2010. By March 31, 2010, management will also perform a manual review of all transaction code mappings to the general ledger to identify any potential errors.

II. OTHER MATTERS

1. February 2009 Confirmation of Portfolio (Repeat Condition)

As of February 28, 2009, Ex-Im Bank sent confirmations of its portfolio, excluding outstanding balances below $20 million and rescheduled transactions. In several circumstances, Ex-Im Bank was unable to reach the contact person responsible for replying to the confirmations.

Recommendation 6
Ex-Im Bank should complete their confirmation process prior to the date when audit confirmations are prepared and sent so contact information is updated for any necessary corrections. Ex-Im Bank should develop improved processes and procedures to ensure Ex-Im Bank is timely notified of changes affecting Ex-Im Bank’s portfolio, such as issuing an annual letter to the lenders requesting such information to be provided to Ex-Im Bank within a specific time.

Management Response
The purpose of the February confirmation exercise is to compare, prior to the start of the financial audit, portfolio information in Ex-Im’s accounting systems with information confirmed by guaranteed lenders. This would obviously include contact information. However, ongoing mergers, consolidations, and staff changes in the private sector financial community have made it increasingly difficult, especially for older credits, to identify a responsible contact person and obtain a response to our inquiries.

Management agrees with the recommendation to obtain a more complete response to the confirmations sent for February. In preparation for the February 2010 confirmation process, the Financial Reporting Office will reach out to the Project and Corporate Portfolio Management division and the Transportation Portfolio Monitoring division in an effort to update contact information and will continue doing so on a quarterly basis throughout the year. In addition, the CFO’s office will send out a letter to lenders prior to the start of the FY10 audit encouraging their cooperation with Ex-Im’s confirmation process and requesting any changes in contact information.

2. Reconciliation of Suspense Accounts – Cohort Allocation of Insurance Receipts (Repeat Condition)

Although the insurance receipts were properly recorded for financial statement purposes, they had yet to be allocated to a cohort in the financing account. Currently, insurance receipts are allocated manually, which is time consuming and has led to backlogs in allocating these receipts.

Recommendation 7
The process of allocating insurance receipts to the proper cohort in the financing account should be automated in order to reduce the number of unallocated items. The automated process could resemble the process currently used for allocation of loan and guarantee cash receipts.

Management Response
Management agrees with the recommendation and believes that the upcoming changes to the insurance interface with the general ledger (scheduled for February 2010) will enable the Controller’s office and IMT to automate the process by the end of the fiscal year.
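Recommendation 1 under item I.1 asks for detective controls over privileged Ex-Im Online access, and management's response describes logging EOL server restarts and authorizing changes through Remedy tickets. As an added illustration (not code from the report, Deloitte or the Bank), the following Python script reviews constructed audit log lines against a constructed role table and ticket list, flagging developer-initiated production changes, COOP-retained accounts used outside a declared COOP event, and restarts or deploys with no approved change window. The log format, account names, roles and ticket ids are assumptions.

```python
"""Detective control over privileged production changes (constructed example)."""
from datetime import datetime, timedelta

# Constructed role table. "coop_alternate" accounts keep admin rights only for
# continuity of operations and are not expected to touch production day to day.
ROLES = {"cto": "coop_alternate", "jdoe": "developer", "ops1": "operator"}

# Constructed Remedy-style tickets: ticket id -> (approved window start, hours).
TICKETS = {"INC0001": (datetime(2010, 2, 1, 22, 0), 2)}


def parse_line(line):
    """Constructed log format: timestamp | host | account | event | ticket."""
    ts, host, account, event, ticket = [f.strip() for f in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "account": account, "event": event, "ticket": ticket or None}


def review(log_lines, coop_declared=False):
    """Return (account, event, reason) for each suspicious privileged event."""
    alerts = []
    for raw in log_lines:
        e = parse_line(raw)
        if e["event"] not in ("restart", "deploy"):
            continue  # only restarts and deploys imply an executable change
        role = ROLES.get(e["account"], "unknown")
        if role == "developer":
            alerts.append((e["account"], e["event"],
                           "developer changed production (segregation of duties)"))
        if role == "coop_alternate" and not coop_declared:
            alerts.append((e["account"], e["event"],
                           "COOP-retained account used outside a declared COOP event"))
        window = TICKETS.get(e["ticket"])
        if window is None or not (
                window[0] <= e["ts"] <= window[0] + timedelta(hours=window[1])):
            alerts.append((e["account"], e["event"],
                           "no approved change ticket covering this event"))
    return alerts


# Constructed sample log: two authorized events, two that should alert, one login.
SAMPLE_LOG = [
    "2010-02-01T22:15:00 | eol-prod-1 | ops1 | deploy  | INC0001",
    "2010-02-01T22:20:00 | eol-prod-1 | ops1 | restart | INC0001",
    "2010-02-03T10:05:00 | eol-prod-1 | jdoe | deploy  | ",
    "2010-02-03T10:06:00 | eol-prod-1 | cto  | restart | INC0001",
    "2010-02-03T10:07:00 | eol-prod-1 | jdoe | login   | ",
]

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print("ALERT", *alert)
```

Passing `coop_declared=True` suppresses only the COOP-account alert, so an unticketed restart still surfaces during a declared continuity event.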